Archive for December, 2010

ICANN has released findings from its August 2010 survey of national computer security incident response teams or CSIRTs. Surveys were distributed to 55 CSIRTs with national responsibility, via one of four channels: the Computer Emergency Response Team Coordination Center at Carnegie Mellon University (CERT/CC) (distributed worldwide), the European Network and Information Security Agency (ENISA, covering the European region), APCERT (covering the Asia-Pacific region) and the Organization of Islamic Conference-CERT secretariat (OIC-CERT, covering Islamic countries) to 55 CSIRTs with national responsibility. The full report notes that “the survey results are not comprehensive enough data to draw any broad conclusions.”

The U.S. Department of Homeland Security is mounting an effort similar to this initiative promoting DNSSEC deployment, this time for the Internet’s routing protocol, border gateway patrol, or BGP. Similarities between the two efforts were noted in an interview with Network World, Douglas Maughan, Ph.D., who directs the cybersecurity division in the DHS Science and Technology Directorate. Of DNSSEC adoption, he said:

I’m optimistic. Over 60 zones are signed. The key thing in my mind was the result of .org’s operational experience. They saw minimal impact of DNSSEC to their operational performance. Everybody was claiming that the impact would be a 30% to 50% performance hit, but .org will tell you that’s not the case. We’ve been able to shake out any performance concerns that the naysayers had and show them that it works. Now we’re getting .net and .com signed. We’re starting to have discussions with CISOs of major companies like PayPal and Google to say that now that .com is being signed, what are your plans? We’ve made a lot of progress this year. We signed the root, and some said that would never happen.

Maughan also noted that he would encourate corporate CIOs to “to get on the DNSSEC bandwagon as soon as they can, especially if they are a dot-com. This becomes a way for them to provide another layer of security for their own infrastructure and for the people who use their infrastructure.”

Government Computer News reports that the U.S. financial services industry will team up with the U.S. Department of Homeland Security and the U.S. National Institute of Standards and Technology on cybersecurity research and development, with the goal of speeding commercialization of cybersecurity research in a critical sector. The move could ease DNSSEC deployment with the creation of new testbeds and other efforts.

A White House blog post by Aneesh Chopra, U.S. chief technology officer, and Howard A. Schmidt, cybersecurity coordinator and special assistant to the President, notes that Financial Services Sector Coordinating Council (FSSCC)’s ” participants include banks, credit unions, insurance companies, payment services, trading firms, and others…[It] supports research and development initiatives to protect the physical and electronic infrastructure of the banking and finance sector and to protect its customers by enhancing the sector’s resilience and integrity.”

Both NIST and the DHS Science & Technology Directorate are partners in the DNSSEC Deployment Coordination Initiative, and GCN notes that “NIST also has worked with DHS in establishing testbeds for advanced networking tools and security technologies such as the DNS Security Extensions (DNSSEC) and Border Gateway Protocol Security. This early work could speed the establishment of a test environment for financial services, Romine said. “A lot of the groundwork has been laid.” Charles Romine is the acting associate director for laboratory programs at NIST.

…largest yet to be DNSSEC enabled, with more than 13 million domain name registrations worldwide. The .net signing also represents one of the most critical implementations of DNSSEC technology, since .net serves as the underpinning for many critical Internet functions.

The announcement came at the end of the ICANN meeting in Cartagena, which featured DNSSEC in the president’s opening statement, a DNSSEC for Beginners workshop and a full day session on deployment in the region and around the world.

VeriSign expects to sign the .com zone in the first quarter of 2011. During the ICANN meeting this week, VeriSign executives pointed to a Forrester Research study–expected to be released next week–that they say demonstrates increasing demand for DNSSEC in enterprises, fueled by higher customer demand.

DNSSEC once again plays a major role at this week’s ICANN meeting, taking place in Cartagena de Indias from December 5-10.

ICANN President Rod Beckstrom gave a report that opened the meeting, and noted:

Thanks to community efforts, DNSSEC is being deployed aggressively around the world. Fifty TLDs have been signed and are in the root, and at least 15 more are in the works. A number of new registry operators are implementing DNSSEC in top level domain zones. .net will be ready for DNSSEC validation this week – a major milestone – and .com is on track for validation by March 2011, when we meet in San Francisco for the 40th ICANN meeting.

Yesterday, a workshop on DNSSEC for Beginners featured speakers from VeriSign, Nominet and ISC, as well as Sparta’s Russ Mundy, a partner in the DNSSEC Deployment Coordination Initiative. Go to the link for resources from the workshop, and listen to an MP3 audiocast here.

Noting that “we are now entering an exciting phase where DNSSEC can become an operational reality for everyone,” Initiative partners and a host of speakers will convene on Wednesday for an all-day DNSSEC Workshop. Panels and presentations in this workshop will cover:

DNSSEC adoption issues for registries and registrars and successful marketing approaches for DNSSEC.

The diversity of approaches for implementing DNSSEC across both registrars and registries, with a focus on how the size of each organization affects the tools and technologies deployed.

An overview of open-source DNSSEC tools.

Presentations on the uptake of DNSSEC validating resolvers from a group of leading ISPs.

Updates on regional and worldwide DNSSEC deployment activities.

Featured will be speakers from the Initiative and from Afilias, AusRegistry, Comcast, CZ.NIC, GoDaddy, ICANN, Internet Infrastructure Foundation (.SE), Internet Systems Corporation, LACTLD, Monster, NIC.br, Nominet, Public Interest Registry, SIDN, SURFNet, and VeriSign. Remote participation can be accessed through this virtual meeting room. Links to presentations are already available, and transcripts will be available later this week at the main workshop link noted above.

VeriSign announced that it will offer a new in-the-cloud DNSSEC signing service to registrars to help them sign domain names and manage keys without investing in additional equipment and resources. Pat Kane, Assistant General Manager of Naming Services at VeriSign, noted, “we want to do everything we can to encourage the adoption of DNSSEC, which is an essential tool for securing the Internet.”

The new service provides the initial cryptographic signing, routine re-signing of zone resource records and management of key rollover schedules and zone re-signing. An evaluation period will be offered to VeriSign’s registrar partners to review the service; the offer ends at the end of 2011.